Introduction

Kernel security levels were introduced back in 4.4 to use file flags as a mechanism to enhance security. Usually the system runs at level 1, which can be checked with sysctl kern.securelevel. Once the level has been set during the boot process using the securelevel option in /etc/rc.conf, you cannot lower it anymore, but you are allowed to raise it to either 1 or 2.

The sysctl variable kern.securelevel is usually -1 or 0, and can be raised during normal operation to disallow certain filesystem operations and so increase security.
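
As an added example (not from the original page), this POSIX sh audit reads the securelevel option from an rc.conf-style file and compares it with a running level, applying the raise-only rule described above. The function names, result labels and sample file are constructed for illustration, and it assumes shell-style securelevel=N assignments.

```shell
#!/bin/sh
# Added example (not from the original page): audit kern.securelevel against
# the securelevel option in an rc.conf-style file.

# Succeeds only for the levels this page mentions: -1, 0, 1, 2.
is_level() { case $1 in -1|0|1|2) return 0 ;; *) return 1 ;; esac; }

# Print the last securelevel= value in file $1 (empty if unset).
# Assumption: shell-style assignments, optionally quoted, '#' comments.
rc_securelevel() {
    val=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                          # drop trailing comment
        line=${line#"${line%%[![:space:]]*}"}     # drop leading whitespace
        case $line in
            securelevel=*)
                val=$(printf '%s' "${line#securelevel=}" | tr -d "\"' \t") ;;
        esac
    done < "$1"
    printf '%s\n' "$val"
}

# Exit 0 if changing from level $1 to $2 does not lower it; 2 on bad input.
can_change() {
    is_level "$1" && is_level "$2" || return 2
    [ "$2" -ge "$1" ]
}

# Compare running level $1 with the level configured in file $2.
audit() {
    want=$(rc_securelevel "$2")
    if [ -z "$want" ]; then echo "unset"
    elif ! is_level "$want" || ! is_level "$1"; then echo "invalid"
    elif [ "$want" -eq "$1" ]; then echo "match"
    elif can_change "$1" "$want"; then echo "below-config"  # can still be raised
    else echo "above-config"                                # cannot be lowered now
    fi
}

# Constructed sample file. On a real host pass /etc/rc.conf and
# "$(sysctl -n kern.securelevel)" instead.
sample=$(mktemp)
printf '%s\n' 'hostname=demo' 'securelevel="1"  # constructed' > "$sample"
echo "running 0: $(audit 0 "$sample")"
echo "running 2: $(audit 2 "$sample")"
rm -f "$sample"
```

A result of above-config means the running level is higher than the configured one and cannot be brought down on the running system.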

Securelevel restrictions

secmodel_bsd44(9) defines the following restrictions:

-1 Permanently insecure mode

Don't raise the securelevel on boot

0 Insecure mode

The init process (PID 1) may not be traced or accessed by ptrace(2), systrace(4), or procfs.